As expected, Apple announced a series of significant changes to the way Macs, iPads, iPhones and Apple TVs are managed in corporate and educational environments. These changes largely fall into two groups: those that affect overall device management and those that apply to declarative management (a new type of device management that Apple introduced in iOS 15 last year).
It is important to look at each group individually to fully understand the changes.
How did Apple change global device management?
Apple Configurator for iPhone received a major expansion. Apple Configurator has long been a manual method of managing iPhones and iPads, as opposed to automated enrollment or self-enrollment tools. The tool originally shipped as a Mac app that could configure devices, but it had one major drawback: devices had to be connected via USB to the Mac running the app. This had obvious implications in terms of time and manpower in anything larger than a small environment.
Last year, Apple introduced a version of Configurator for iPhone that reversed the workflow of the original, meaning an iPhone version of the app can be used wirelessly to enroll Macs for management. It was primarily used to enroll Macs purchased outside of Apple’s business/education channel into Apple Business Manager (Apple products purchased through the channel can be automatically enrolled with a zero-touch configuration).
The iPhone incarnation is incredibly simple. During the setup process, point an iPhone camera at an animation on the Mac screen (much like pairing an Apple Watch) and that triggers the enrollment process.
The big change this year is that Apple has expanded Apple Configurator for iPhone to support iPad and iPhone enrollment using the same process, removing the requirement for devices to be connected to a Mac. This greatly reduces the time and effort required to enroll these devices. There is one caveat: devices that require cellular activation or have Activation Lock enabled must complete that activation manually before Configurator can be used.
Apple has made useful changes for identity management in enterprise environments. Most importantly, it now supports additional identity providers, including Google Workspace and OAuth 2, which opens the door to a wide range of providers. (Azure AD was already supported.) These identity providers can be used in conjunction with Apple Business Manager to generate Managed Apple IDs for employees.
The company also announced that single sign-on support will be rolled out to all of its platforms after macOS Ventura and iOS/iPadOS 16 are released this fall. The goal here is to make user enrollment easier and more streamlined by requiring users to authenticate only once. Apple also announced Platform Single Sign-on, an effort to extend and streamline access to business apps and websites so that users get it every time they sign in to their device(s).
Managed networks by app
Apple has long had per-app VPN capabilities, allowing only specific business or work-related apps to use an active VPN connection. This keeps the protection of the VPN where it is needed while limiting the VPN load, because only the traffic of specific apps is sent over the VPN connection. With macOS Ventura and iOS/iPadOS 16, Apple is adding per-app DNS proxy and per-app web content filtering. These help secure traffic for specific apps and work the same way as a per-app VPN, and they require no changes to the apps themselves. DNS proxy can be configured system-wide or per app, while content filtering can be configured system-wide or with up to seven per-app instances.
For iPhones that support eSIMs, Apple allows Mobile Device Management Software (MDM) to configure and provision an eSIM. This can include provisioning a new device, migrating carriers, using multiple carriers, or reconfiguring travel and roaming.
Manage accessibility settings
Apple is known for its comprehensive suite of accessibility features for those with special needs. In fact, many people with no special needs also use some of these features. In iOS/iPadOS 16, Apple MDM allows you to automatically enable and configure a handful of the most common features, including: text size, voiceover, zoom, touch accommodations, bold text, reduce motion, increase contrast, and reduce transparency. This will be a welcome resource in areas such as special education or hospital and healthcare settings where devices can be shared by users with special needs.
What’s new in Apple’s declarative management process?
Apple last year unveiled Declarative Management as an improvement over the original MDM protocol. The big advantage is that it moves much of the business logic, compliance, and management from the MDM service to the device itself. As a result, devices can proactively monitor their own health. That eliminates the need for the MDM service to constantly poll device status and issue commands in response. Instead, devices make changes based on their current state and on the declarations sent to them, and report back to the service.
Declarative management relies on declarations that contain things like activations and configurations. An advantage is that a declaration can contain several configurations as well as the activations that indicate when and whether each configuration must be activated. This means that a single declaration can contain all configurations for all users, along with activations that indicate which users they apply to. This reduces the need for many separate declarations, each with different configurations, because the device can decide which ones to enable based on the user.
This year, Apple has expanded where Declarative Management can be used. Initially, it was only available on iOS/iPadOS 15 devices that used User Enrollment. Going forward, all Apple devices running macOS Ventura or iOS/iPadOS/tvOS 16 will be supported regardless of enrollment type. That means device enrollment (including supervised devices) is supported across the board, as is Shared iPad (an enrollment type that allows multiple users to share the same iPad, each with their own configuration and files).
The company has made it crystal clear that declarative management is the future of Apple device management and that new management features will only be rolled out to the declarative model. While traditional MDM will be available indefinitely, it is obsolete and will eventually be discontinued.
This has major implications for devices that are already in use. Devices that cannot run macOS Ventura or iOS/iPadOS 16 will eventually fall out of support, and any still in use will have to be replaced. Given the sheer number of devices losing support, this could be a costly transition for some organizations. While it’s not immediate, you should start by determining the size and cost of the transition and how you’ll manage it (especially since it will likely require a transition to Apple Silicon, which doesn’t support running Windows or Windows apps, in the process).
In addition to expanding which products can use declarative management, Apple has also expanded functionality, including support for password configuration, corporate accounts, and MDM-driven app installation.
The passcode option is more complex than just requiring a passcode of a certain type. Passcode compliance has traditionally been a prerequisite for certain security-related configurations, such as sending the company’s Wi-Fi configuration to a device. In the declarative model, those configurations can be sent to the device before a passcode is set. They are sent along with the required passcode policy and contain an activation that will only enable them once the user has created a passcode that complies with that policy. After the user sets a passcode, the device detects the change and enables the Wi-Fi configuration without multiple round trips to the MDM service, immediately enabling Wi-Fi and informing the service that the configuration has been activated.
Accounts — which can contain things like email, notes, calendars, and subscribed calendars — work the same way. A declaration can specify all types of accounts that are supported within the organization, as well as all subscribed calendars. The device then determines — based on the user account and the role(s) within the organization — which of them to activate and enable.
MDM app installation is the most important addition to declarative management, as app installation is one of the tasks that puts the most burden on an MDM service and is the biggest bottleneck during mass device activations (such as major onboarding of new employees, rollout of new devices, or the first day of school). A declaration can specify all possible apps that must be installed upon activation and be sent to a device, even before it is handed over to the user. Again, the device determines which app installation configurations to activate and make available based on the user. This prevents each device from repeatedly querying the service and downloading apps and their configurations. It also simplifies and speeds up the process of enabling (or disabling) apps as a user’s role changes.
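The declaration model described above (one declaration carrying every configuration plus the activations that gate them), the passcode-gated Wi-Fi configuration, and the role-based account and app activation can be seen in one place with a device-side simulation. The following Python is an added illustration written for this article, not Apple's code and not the real declaration JSON: the configuration identifiers, payload keys, device-state fields and predicate callables are constructed for the example (Apple's actual protocol uses typed declarations and predicate strings). What it shows is the division of labour the article describes: the service sends the declaration once, and the device re-evaluates activations locally whenever its own state changes, then records what it would report back.

```python
# Added illustration (not Apple's code): a device-side model of declarative management.
# The service sends one declaration; the device decides which configurations to enable
# from its own state and reports the result, instead of the service polling and issuing
# commands. Identifiers, payload keys and state fields are constructed for this example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class DeviceState:
    passcode_length: int = 0            # 0 means no passcode is set yet
    passcode_alphanumeric: bool = False
    user_role: str = ""                 # "" until a user signs in


@dataclass
class Activation:
    identifier: str
    configurations: List[str]           # identifiers of configurations to enable
    predicate: Callable[[DeviceState], bool]  # simplified stand-in for a predicate string


@dataclass
class Declaration:
    configurations: Dict[str, dict]     # identifier -> payload
    activations: List[Activation]


def passcode_compliant(state: DeviceState, policy: dict) -> bool:
    """True when the passcode on the device satisfies the (constructed) policy payload."""
    if state.passcode_length == 0:
        return False
    if state.passcode_length < policy["min_length"]:
        return False
    if policy["alphanumeric"] and not state.passcode_alphanumeric:
        return False
    return True


class Device:
    def __init__(self, state: DeviceState) -> None:
        self.state = state
        self.declaration: Optional[Declaration] = None
        self.active: Set[str] = set()
        self.status_reports: List[Tuple[str, str]] = []   # what would go back to the service

    def receive(self, declaration: Declaration) -> Tuple[List[str], List[str]]:
        """Accept one declaration carrying every configuration, then evaluate locally."""
        self.declaration = declaration
        return self.evaluate()

    def update_state(self, **changes) -> Tuple[List[str], List[str]]:
        """Local change (passcode set, role changed): re-evaluate with no server round trip."""
        for key, value in changes.items():
            setattr(self.state, key, value)
        return self.evaluate()

    def evaluate(self) -> Tuple[List[str], List[str]]:
        """Return (newly enabled, newly disabled) configuration identifiers."""
        wanted: Set[str] = set()
        for act in self.declaration.activations:
            if act.predicate(self.state):
                wanted.update(act.configurations)
        enabled = sorted(wanted - self.active)
        disabled = sorted(self.active - wanted)
        self.active = wanted
        self.status_reports += [("active", c) for c in enabled]
        self.status_reports += [("inactive", c) for c in disabled]
        return enabled, disabled


def build_demo_declaration() -> Declaration:
    """Constructed declaration: passcode policy, Wi-Fi gated on it, role-based mail and apps."""
    passcode_policy = {"min_length": 6, "alphanumeric": True}
    configs = {
        "passcode-policy": passcode_policy,
        "corporate-wifi": {"ssid": "corp-example", "eap": "PEAP"},
        "account-mail": {"host": "mail.example.invalid"},
        "app-finance": {"bundle_id": "com.example.finance"},
        "app-sales": {"bundle_id": "com.example.sales"},
    }
    activations = [
        Activation("always", ["passcode-policy"], lambda s: True),
        Activation("after-passcode", ["corporate-wifi"],
                   lambda s: passcode_compliant(s, passcode_policy)),
        Activation("signed-in", ["account-mail"], lambda s: s.user_role != ""),
        Activation("finance-role", ["app-finance"], lambda s: s.user_role == "finance"),
        Activation("sales-role", ["app-sales"], lambda s: s.user_role == "sales"),
    ]
    return Declaration(configs, activations)


def run_demo() -> List[Tuple[List[str], List[str]]]:
    """Walk a fresh device through the lifecycle the article describes."""
    dev = Device(DeviceState())
    steps = [dev.receive(build_demo_declaration())]       # only the passcode policy applies
    steps.append(dev.update_state(passcode_length=4))     # a 4-digit PIN: not compliant, no change
    steps.append(dev.update_state(passcode_length=8, passcode_alphanumeric=True))  # Wi-Fi enables
    steps.append(dev.update_state(user_role="finance"))   # mail account and finance app enable
    steps.append(dev.update_state(user_role="sales"))     # finance app swapped for sales app
    return steps


if __name__ == "__main__":
    for enabled, disabled in run_demo():
        print("enabled:", enabled, "disabled:", disabled)
```

Running the module prints one line per step; the interesting property is that every transition after the first is driven by a local state change, and `status_reports` accumulates exactly the activation and deactivation events the device would send to the service, with no poll or command in between.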
These are important improvements and it’s easy to see why these are the first additions to Declarative Management after the initial rollout. There are still MDM capabilities that haven’t made the leap to declarative use yet, but it’s clear they will eventually—perhaps next year.
This is one of the most important WWDC announcements for enterprises, and it’s nice to see that Apple has put a lot of thought into which features to add or update, as it tackles most of the issues that were difficult, time-consuming, labor-intensive, or tedious. Apple not only caters to the needs of business customers, but also shows that it understands these needs.
Copyright © 2022 IDG Communications, Inc.